On 19/07/2010 8:37 AM, Johnny Ferguson wrote:
> Recently I've been seeing a lot of activity in /var/log/auth.log (of the
> sshd sort). Sometimes 5 straight hours of brute force attacks.
Yikes! I guess I should start checking my logs too.
> SO, just wondering what advice anyone could offer on hardening SSH. I
> might be a little paranoid, but I think it's still in the range of being
> healthy.
As Dave Cramer mentioned, it is best to use public key authentication
instead of username/password authentication. The odds of a brute-force
attack succeeding go up dramatically. I suspect that no one even
bothers, and instead goes after the ssh servers that use
username/password authentication. This can be a bit of a hassle
however, as you need to have your keypair available whenever you want to
sign in to your ssh server.
> P.S. How do 2 machines determine an encryption key and communicate this
> to eachother without giving the key away? Are there any good articles on
> how SSH works and what potential vulnerabilities are?
SSH uses the Diffie-Hellman Key Exchange protocol to establish a shared
secret for the session. It's pretty cool stuff, the Wikipedia article*
has a pretty good explanation of the theory. You might want to read a
bit about modular arithmetic** first if you don't already understand it.
RFC4419*** describes some of the security considerations surrounding the
DH process.
* http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
** http://en.wikipedia.org/wiki/Modular_arithmetic
*** http://www.ietf.org/rfc/rfc4419.txt